Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
High privileges and user interaction required for injection; scope change confirmed; availability impact removed as XSS does not cause denial of service.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.
AnalysisAI
Stored/reflected Cross-Site Scripting in the Hester Core WordPress plugin (versions ≤ 1.1.8) allows a high-privileged authenticated user to inject malicious JavaScript into author-related fields, which then executes in victims' browsers when they view affected content. The CVSS scope change (S:C) confirms the injected script escapes the originating context and impacts other users' sessions, potentially enabling session hijacking, credential theft, or malicious redirects. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with high WordPress privileges (PR:H) - specifically an account capable of editing author fields, such as the Author, Editor, or Administrator role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-reported CVSS score of 5.9 (Medium) reflects the meaningful constraint of PR:H - exploitation requires a high-privilege WordPress account (administrator or author role), sharply limiting the attacker population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or compromised a WordPress author or administrator account navigates to the author profile or post editor and injects a JavaScript payload (e.g., a cookie-stealing script) into an author-related field. When any site visitor loads a page that renders that author's data, the script silently executes in their browser, exfiltrating session cookies or redirecting the victim to a phishing page. … |
| Remediation | The primary remediation is to update the Hester Core WordPress plugin to a version beyond 1.1.8 - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hester-core/vulnerability/wordpress-hester-core-plugin-1-1-8-cross-site-scripting-xss-vulnerability for the confirmed fixed release version, as no exact patch version number was independently provided in the available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39771
GHSA-792x-cxvp-364w